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ABSTRACT 


As  networks  grow,  their  vulnerability  to  attack  increases.  DoD  networks 
represent  a  rich  target  for  a  variety  of  attackers.  The  number  and  sophistication  of  attacks 
continue  to  increase  as  more  vulnerabilities  and  the  tools  to  exploit  them  become 
available  over  the  Internet.  The  challenge  for  system  administrators  is  to  secure  systems 
against  penetration  and  exploitation  while  maintaining  coimectivity  and  monitoring  and 
reporting  intrusion  attempts. 

Traditional  intrusion  detection  (ID)  systems  can  take  either  a  network  or  a  host- 
based  approach  to  preventing  attacks.  Many  networks  employ  network-based  ID  systems. 
A  more  secure  network  will  employ  both  techniques.  This  thesis  will  analyze  the  benefits 
of  installing  host-based  ID  systems,  especially  on  the  critical  servers  (mail,  web,  DNS) 
that  lie  outside  the  protection  of  the  network  ID  system/Firewall.  These  servers  require  a 
layer  of  protection  to  ensure  the  security  of  the  entire  network  and  reduce  the  risk  or 
attack. 

Three  host-based  ID  systems  will  be  tested  and  evaluated  to  demonstrate  then- 
benefits  on  Windows  2000  Server.  The  proposed  added  security  of  host-based  ID 
systems  will  establish  defense-in-depth  and  work  in  conjimction  with  the  network-based 
ID  system  to  provide  a  complete  security  umbrella  for  the  entire  network 
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1.  INTRODUCTION 


Over  the  last  6  years,  Government  and  defense  agencies  in  the  United 
States  have  been  victim  to  literally  millions  of  attacks  originating  from  the 
internet.  Due  to  the  low  information  security  budgets  and  the  weak 
security  policies  of  such  agencies,  information  security  has  become  an 
uphill  battle,  as  government  and  military  servers  are  constantly  being 
probed  and  attacked  by  crackers. 

The  Network  Security  Solutions,  Ltd.,  FIST  Staff,  February  2001. 

A.  BACKGROUND 

As  the  digital  generation  continues  to  expand,  so  does  the  use  of  personal 
computers  for  worldwide  cormectivity.  This  expansion  has  resulted  in  a  myriad  of 
complex  computer  security  issues  especially  a  greater  susceptibility  to  exploitation  and 
attack.  The  importance  of  maintaining  safe,  secure  and  efficient  communications  has 
increased,  but  the  ability  to  do  so  has  become  increasingly  more  complex.  As  networks 
expand,  the  need  to  adopt  a  defense-in-depth  posture  of  providing  system  security  is 
amplified.  The  Department  of  Defense  (DoD)  relies  on  computers  for  nearly  every  aspect 
of  its  operation;  DoD  computer  networks  are  a  rich  target  for  all  attackers,  foreign  and 
domestic,  professional  and  novice,  insider  and  outsider.  Information  warfare  can  be 
waged  extensively  on  computers,  whether  it  is  denial  of  services,  exploitation  of 
information,  defacing  web  sites  or  deception.  The  number  and  sophistication  of  computer 
attacks  has  steadily  grown  as  more  vulnerabilities  have  been  found  and  tools  to  exploit 
those  vulnerabilities  have  become  more  readily  available.  The  challenge  currently  facing 
government  information  system  security  managers  is  to  secure  government  systems 
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against  exploitation  and  penetration  while  maintaining  the  availability  of  government 
systems,  ensuring  the  authenticity  and  integrity  of  data  transmitted,  and  establishing  an 
effective  means  of  monitoring  and  reporting  intrusion  attempts. 

Intrusion  detection  (ID)  systems  may  offer  a  solution  to  the  defense-in-depth 
strategy  of  protecting  government  networks.  It  is  critical  not  only  to  prevent  unauthorized 
access  to  government  systems  but  also  to  have  an  alert  mechanism  to  notify  government 
persoimel  of  intrusion  attempts,  successful  or  unsuccessful.  Every  organization  should 
know  who  is  attempting  to  enter  their  network  and  why.  Intrusion  detection  systems 
seem  to  be  the  logical  complement  to  network  firewalls.  An  ID  system  will  extend  the 
system  administrators’  security  management  capabilities  to  include  security  audit, 
monitoring,  attack  recognition,  and  response.  There  are  numerous  commercial  off-the- 
shelf  (COTS)  products  designed  to  accomplish  this  goal.  A  thorough  evaluation  is 
necessary  to  determine  whether  one  of  these  products  can  successfully  satisfy  government 
requirements  and  enhances  the  standard  of  security  for  individual  commands.  This  thesis 
will  evaluate  Windows  2000  Server  vulnerabilities  and  review  ftree  host-based  Intrusion 
Detection  Systems:  BlackICE,  ZoneAlarm  and  Sygate.  The  objective  of  this  thesis  is  to 
provide  an  analysis  of  the  benefit  of  utilizing  host-based  ID  systems  inside  and  outside 
the  network  firewall. 

To  establish  a  baseline  for  evaluating  intrusion  detection  systems  certain  terms 
need  to  be  defined. 
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B.  INTRUSIONS 


An  intrusion  is  an  attempt  to  break  into  or  misuse  a  system.  An  intrusion  can  be 
any  set  of  actions  that  attempt  to  compromise  the  integrity,  confidentiality  or  availability 
of  a  resource.  In  a  military  environment  intrusions  can  be  used  for  multiple  purposes 
including  compromise  of  information,  denial  of  services,  information  warfare  and 
deception. 

In  September  2000,  a  large  financial  services  company  had  their  computer 
systems  hacked,  and  credit  card  numbers  for  over  20,000  people  were 
stolen.  [Ref  1] 

In  1999,  hackers  hijacked  nearly  500,000  credit  card  numbers  and  stored 
them  on  United  States  government  computers.  [Ref  2] 

The  intrusion  process  begins  when  an  intruder  takes  steps  to  fulfill  an  objective. 
The  objective  could  be  any  type  of  attack  including  the  theft  of  information,  corruption  of 
files,  defacing  a  web  site,  or  causing  a  denial  of  service.  An  essential  component  of  an 
intrusion  is  taking  advantage  of  one  or  more  vulnerabilities.  The  vulnerabilities  exploited 
in  this  process  can  range  fi’om  a  software  deficiency,  such  as  a  buffer  overflow,  to  a  flaw 
in  an  organizational  structure  that  enables  sensitive  information  such  as  logins  and 
passwords  to  be  determined  through  social  engineering.  The  intrusion  process  ends  when 
some  or  all  of  the  objectives  are  achieved  or  the  intruder  gets  discouraged  and  gives  up. 
One  goal  of  an  Intrusion  Detection  System  is  to  discourage  an  attacker  to  the  point  that  he 
gives  up. 
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Attack  objectives  can  range  from  sensitive  information  being  stolen  to  denial  of 
service  (DOS).  For  example,  an  attacker  can  download  sensitive  information  from  the 
FTP  or  web  server  from  the  external  host  that  is  acting  as  a  bridge  between  the  Internet 
and  the  internal  network.  A  denial  of  service  attack  would  attempt  to  overwhelm  the 
network  to  the  point  that  it  can  no  longer  function  properly.  Common  forms  of  this  attack 
include: 

•  SYN  Flood 

•  ICMP  Flood  (ping  flood) 

•  Smurf  Attack 

•  Mail  Bombs 

•  Host  System  Hogging 

•  Rogue  Applets 

The  University  of  California  at  San  Diego  stated  in  a  recent  study  that  more  than 
4000  Denial  of  Service  attacks  are  unleashed  every  week.  In  February  2000  one  such 
DOS  attack  crippled  Ebay,  Yahoo!,  CNN,  Datek,  E*Trade,  ZDNet  and  several  other  Web 
sites  for  several  hours.  Although  this  kind  of  attack  is  not  destructive,  in  that  no  files  are 
altered  or  destroyed,  the  Web  site's  ability  to  conduct  business  is  severely  impaired  or 
completely  interrupted  for  a  period  of  hours  or  days.  In  a  military  environment  where 
information  flow  is  critical  to  mission  success,  this  type  of  attack  could  be  disastrous. 

ID  systems  can  provide  protection  from  some  of  these  attacks.  When  the  system 
receives  a  SYN  packet,  the  ID  system  can  determine  if  it  is  coming  from  a  legitimate, 
authorized  IP  address.  If  the  SYN  packet  is  not  from  a  valid  IP  address  or  if  the  request 
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fits  a  certain  suspicious  pattern,  a  message  is  sent  to  the  firewall  to  reject  subsequent  SYN 
packets  firom  that  IP  address.  It  is  imperative  that  the  ID  system  has  the  capability  of 
preventing  unauthorized  outgoing  connections. 

Intruders  who  conduct  such  attacks  can  fall  into  two  broad  categories:  Outside 
Intruders  and  hiside  bitruders.  Most  people  perceive  the  outside  world  to  be  the  largest 
threat  to  their  security.  The  media  scare  over  “hackers”,  “crackers”  and  “attackers” 
coming  in  over  the  Internet  has  only  heightened  this  perception.  However,  FBI  studies 
have  revealed  that  ninety  percent  of  U.S.  companies  experienced  Internet  fi^ud  over  the 
past  two  years  and  ei^ty  percent  of  intrusions  and  attacks  came  firom  within  an 
organization.  A  mechanism  is  needed  to  detect  both  types  of  intrusions  --  a  break-in 
attempt  firom  the  outside  and  a  malicious  attack  firom  a  knowledgeable  insider. 

C.  INTRUSION  DETECTION  SYSTEMS 

In  a  world  of  firewalls  and  security  auditing  tools,  why  is  a  real-time 

intrusion  detection  system  needed?  Similar  to  the  use  of  security  cameras  and 
burglar  alarms  on  a  locked  and  guarded  building,  an  ID  system  should  be  used  on 
a  secme  network  for  the  following  reasons: 

1 .  Depth  of  defense:  no  matter  how  many  security  measures  you  have  in  place,  if 
they  are  defeated,  it  is  necessary  to  have  a  system  that  identifies  this 
immediately  -  a  "burglar  alarm. 

2.  Efficiency:  ID  systems,  like  security  cameras  and  alarms,  allow  an 
organization  to  leverage  fewer  staff  members  to  monitor  and  secure  a  larger 
area  in  an  automated  manner.  It  is  cost  and  resource-prohibitive  to  place 
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firewalls  everywhere  on  the  network  and  run  security  audits  at  all  hours  of  the 
day. 

3.  Route  tracing:  ID  systems  can  provide  incriminating  forensic  evidence  that 
may  not  otherwise  be  available  fi-om  firewall  or  audit  logs  (again  fulfilling  the 
role  of  the  security  camera). 

4.  “Beware  of  Dog”  sign  effect:  similar  to  the  sign  on  a  fence,  a  prominently 
displayed  notice  of  intention  to  monitor  traffic  is  often  the  only  dissuasion 
attackers  need  to  move  on  to  another  site  with  less-formidable  security 
obstacles. 

Hardware-based  network  firewalls  are  ideal  for  implementing  security 
policies  between  networks,  but  they  can  be  expensive,  comphcated,  inflexible, 
and  quickly  outdated-susceptible  to  new  attacks.  They  may  also  be  rendered 
ineffective  by  dialup  access  weaknesses,  encryption,  VPN’s,  and  remote  users 
connecting  directly  to  the  Internet  firom  home. 

1.  Types  Of  Intrusion  Detection  Systems 

Most  traditional  intrusion  detection  systems  take  either  a  network  or  a  host-based 
approach  to  recognizing  and  preventing  attacks.  A  host-based  ID  system  is  designed  to 
monitor  the  system  on  which  it  is  installed.  A  traditional  host-based  ID  system  monitors 
the  Operating  System  for  attack  signatures  within  log  files  or  audit  trails.  A  host-based 
ID  system  can  also  be  used  to  monitor  a  specific  application  or  database  server. 
Currently,  host-based  ID  system  technologies  are  adapting  to  the  changing  industry,  and  a 
host-based  ID  system  can  employ  a  variety  of  techniques.  A  network-based  ID  system 
looks  for  specific  patterns  or  attack  signatures  that  indicate  malicious  or  suspicious  intent 
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within  network  traffic.  Network  ID  systems  can  use  two  different  databases  to  identify 
intrusions:  a  built-in  static  signature  database  or  a  dynamic  signature  database  that 
constantly  monitors  the  system  operations  and  updates  its  database  automatically.  Figure 
1  below  illustrates  both  types  of  ID  s)^tems. 


Figure  1  -  Types  of  ID  Systems  [From  Ref  3] 


The  host-based  ID  system  resides  at  the  Application  Layer  of  the  OSI  model  on 
the  host  as  seen  in  Figure  2  and  is  therefore  restricted  to  monitoring  the  audit  trails  of  the 
operating  system  or  applications.  The  Network-based  ID  system  resides  on  a  separate 
computer  fi-om  the  server  and  monitors  all  network  traffic  and  audit  data  between  the 
server  and  the  clients.  The  Network  ID  system  monitors  information  flow  at  all  layers  of 
the  OSI  model  as  depicted  in  Figure  3.  Each  approach  has  its  strengths  and  weaknesses, 
and  each  is  complementary  to  the  other.  A  truly  effective  intrusion  detection  system  will 
employ  both  technologies,  providing  a  defense-in-depth.  The  personal  ID  systems 
evaluated  in  this  thesis  will  incorporate  a  combination  of  these  technologies. 
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Figure  2  -  Traditional  Host-based  ID  System  vs.  OSI  Model  [From  Ref  3] 
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Figure  3  -  Network  ID  System  vs.  OSI  Model  [From  Ref  3] 


D.  ID  SYSTEM  METHODOLOGY 

There  are  generally  two  intrusion  detection  models: 

1.  The  Signature  based  detection  model  monitors  system  traffic  for  known 
attack  signatures.  The  ID  system  evaluates  packets  to  see  if  they  correspond  to  a  known 
intrusion  pattern.  Most  successful  intrusion  detection  systems  rely  on  the  signature 
detection  model.  Attacks,  like  viruses,  are  always  changing,  so  the  success  of  this  model 
relies  on  maintaining  a  current  signature  library. 

2.  The  Anomaly  based  detection  model  looks  for  trends  that  deviate  from  a 
system’s  normal  usage  pattern  or  deviations  from  a  user’s  normal  behavior.  The 
anomalies  are  detected  by  building  up  a  profile  of  the  system  being  monitored,  and 
detecting  significant  deviations  from  this  profile.  Although  the  anomaly  detection  model 
doesn’t  rely  on  an  up  to  date  signature  database,  it  is  more  difficult  to  engineer  than  the 
signature  based  model  and  is  seldom  utilized  in  the  industry.  The  theory  behind  anomaly 
detection  is  based  on  metrics  that  are  derived  from  system  operations.  These  metrics  are 
computed  from  available  system  parameters  such  as  average  CPU  load,  number  of 
network  connections  per  minute,  number  of  processes  per  user,  etc.  ID  systems  that 
utilize  the  anomaly  model  often  look  for  inconsistencies  in  the  Operating  System  audit 
trails.  Audit  trail  data  forms  a  footprint  of  system  usage  over  time  and  establishes  a 
baseline.  From  these  observations,  the  ID  system  can  analyze  system  metrics  to  detect  a 
possible  intrusion.  An  anomaly  may  be  a  symptom  of  a  possible  intrusion,  but  it  can  also 
be  a  change  in  an  authorized  user’s  activity.  Anomaly  detection  is  more  challenging  than 
misuse  detection  since  one  caimot  simply  monitor  for  any  known  malicious  patterns  or 
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signatures,  thus  it  requires  a  more  flexible  approach  which  is  far  more  complicated  to 
develop. 

An  ID  system  may  also  performs  its  own  system  monitoring  and  anomaly 
detection.  It  may  keep  aggregate  statistics  that  provide  a  system  usage  profile.  These 
statistics  can  be  derived  from  a  variety  of  sources  such  as  CPU  usage,  disk  I/O,  memory 
usage,  activities  by  users,  number  of  attempted  logins,  etc.  These  statistics  must  be 
continually  updated  to  reflect  the  current  state  of  the  system.  The  statistics  are  correlated 
with  an  internal  model  that  allows  the  ID  system  to  determine  if  a  series  of  actions 
constitute  a  potential  intrusion.  This  model  may  describe  a  set  of  intrusion  scenarios  or 
possibly  encode  the  profile  of  a  clean  system. 

E.  EVALUATING  ID  SYSTEMS 

Personal  host-based  ID  systems  need  to  enforce  particular  security 
pohcies.  They  should  have  the  ability  to  identify  and  block  known  port  scans, 

Trojans  and  Denial  of  Service  attacks,  as  well  as  protect  against  new  or  unknown 
attacks  by  blocking  applications  and  traffic  that  violate  a  defined  profile’s  security 
rules.  These  rule-based  security  policies  should  include  any  combination  of  the 
following: 

•  Application  -  allowing  each  application  access  privileges  to  only  certain 
required  IP  addresses,  ports,  or  protocols 

•  Trusted  IP  Addresses  -  allowing  access  privileges  to  specific  IP  addresses 

•  Ports  -  allowing  access  privileges  to  specific  ports 

•  Protocols  -  allowing  access  privileges  to  specific  protocols 


10 


•  Schedule  -  allowing  automatic  implementation  of  different  security  policies  at 
different  times. 

Intrusion  detection  monitoring  and  reporting  is  not  full  proof  and  error  free.  It  is 
important  to  identify  and  minimize  potentially  misleading  error  reports.  These  errors  can 
be  categorized  as  either  false  positive,  false  negative  or  subversion  errors.  A  false 
positive  occurs  when  the  system  classifies  an  action  as  anomalous  (a  possible  intrusion) 
when  it  is  a  legitimate  action.  These  reports  will  normally  be  ignored  since  they  are 
legitimate  actions  simply  classified  as  intrusions.  If  too  many  false  positives  are 
generated,  the  operators  will  come  to  ignore  the  output  of  the  system,  which  may  lead  to 
actual  intrusions  being  detected  but  ignored  over  time.  A  false  negative  occurs  when  an 
actual  intrusive  action  has  occurred  but  the  system  allows  it  to  pass  as  a  non-intrusive 
behavior.  False  negative  errors  are  more  serious  than  false  positive  errors  because  they 
give  a  misleading  sense  of  security.  By  allowing  all  actions  to  proceed,  a  suspicious 
action  will  not  be  brought  to  the  attention  of  the  operator.  The  intrusion  detection  system 
is  now  a  liability  as  the  security  of  the  system  is  less  than  it  was  before  the  ID  system  was 
installed.  An  effective  ID  system  will  minimize  these  false  alarms  and  missed  attacks, 
while  maximizing  valid  detections  through  proper  configuration  and  monitoring, 
maintaining  updated  software  patches  and  signature  databases,  and  effective  training  of 
risers  and  administrators. 

Additionally,  ID  systems  can  be  susceptible  to  subversion.  A  subversion  error 
occurs  when  an  intruder  modifies  the  operation  of  the  intrusion  detector  to  force  false 
negatives.  An  intruder  could  use  knowledge  about  the  internals  of  an  intrusion  detection 
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system  to  alter  its  operation,  possibly  allowing  anomalous  behavior  to  proceed.  A  human 
operator  examining  logs  may  discover  this,  but  the  intrusion  detection  system  would 
appear  to  be  working  correctly.  This  is  sometimes  done  by  slowly  altering  the  system’s 
footprint  or  metrics  over  time.  An  intruder  slowly  introduces  anomalies  into  the  system 
to  permit  the  ID  system  to  allow  greater  anomalies,  tmtil  it  is  safe  for  the  intruder  to 
launch  an  imdetected  attack. 

A  good  ID  system  should  address  certain  basic  issues,  regardless  of  what 
mechanism  it  is  based  on.  It  ought  to: 

•  Run  continually 

•  Be  fault  tolerant 

•  Resist  subversion 

•  Operate  wdth  minimal  overhead 

•  Be  easily  tailored  to  observe  deviations  and  changes  in  system  behavior 

•  Be  difficult  to  fool 

•  Be  able  to  back  trace  and  identify  the  source  of  intrusion  attempts 

It  is  difficult  to  identify  and  evaluate  the  processes,  procedures,  tools,  software, 
hardware,  and  databases  that  comprise  the  full  range  of  intrusion  detection  technologies. 
Since  the  technology  is  continually  evolving,  the  methods  and  processes  of  ID  systems 
continue  to  develop  and  change.  The  process  for  evaluating  an  ID  system  requires  setting 
up  a  network,  controlling  the  operating  environment,  generating  traffic  samples, 
determining  the  reqtiired  supporting  data,  and  evaluating  the  results.  Implementing 
intrusion  detection  systems  on  networks  and  hosts  requires  a  broad  tmderstanding  of 
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computer  security.  The  complexity  of  information  technology  infiastructures  is 
increasing  so  quickly  that  is  has  become  nearly  impossible  for  any  one  person  to  fully 
understand,  let  alone  administer,  systems  in  a  way  that  is  operationally  secure.  Vendors 
are  rapidly  releasing  new  E)  systems  and  aggressively  competing  for  market  share  in  the 
ever-expanding  market.  Many  products  started  out  as  point  solutions,  but  in  response  to 
consumers'  inability  to  fully  understand  and  use  them,  many  vendors  are  attempting  to 
integrate  approaches  to  solve  a  broader  range  of  computer  security  problems.  This 
illustrates  the  value  of  establishing  a  baseline  for  reviewing  ID  systems  in  order  to 
determine  their  usefulness  on  government  systems.  Given  the  complexity  of  the  problem 
outlined  above,  this  thesis  will  focus  on  analyzing  the  current  vulnerabilities  inherent  to 
Windows  2000  Server  and  demonstrating  how  off-the-shelf  products  like  ZoneAlarm, 
BlackICE  and  Sygate  Personal  Firewall  can  improve  the  security  of  government  systems. 
Reconunendations  will  be  made  for  follow-on  tests  that  would  help  further  understand 
the  benefits,  utilities  and  operations  of  ID  systems. 

The  diagram  on  the  following  page  (Figure  4)  illustrates  how  a  typical 
network-based  intrusion  detection  system  works.  The  picture  shows  the  flow  of 
an  attack  being  launched,  the  ID  system  sniffing  the  packets,  comparing  the 
packets  to  the  database  of  known  attacks,  reacting  to  the  attack,  blocking 
dangerous  traffic,  and  alerting  the  system  operator/administrator  to  the  attack. 
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Figure  4  -  Network-based  ID  System  Operation  [From  Ref  4] 
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II.  PROBLEM  PROPOSAL 


It  doesn't  take  long  to  figure  out  the  security  problem  with  these  port 
technologies:  If  a  port  lets  data  flow  out,  it  also  lets  data  flow  in.  A  port  is 
essentially  an  opening  into  your  computer,  and  it  can  be  hacked.  Someone 
can  infect  your  machine  with  a  Trojan  horse  in  this  way,  and  that's  only 
one  of  a  host  of  distressing  possibilities.  If  you  open  your  computer  to  the 
outside  world,  you're  vulnerable  to  attack  --  period. 

Randall,  Neil,  “Freeware  Port  Scaimers:  Plug  the  Holes”,  PC  Magazine, 

URL: 

http://www.zdnet.com/products/stories/reviews/0,4161,2651662,00.html 
(16  November  2000). 

A.  INTRODUCTION  TO  ID  SYSTEM  PROBLEM 

Many  networks  administrators  do  not  realize  the  value  of  employing  host-based 
and  network-based  ID  systems  simultaneously.  Host-based  ID  systems  could  be  used  to 
assist  network-based  ID  systems  in  protecting  client  stations  inside  the  firewall  as  well  as 
providing  a  much  needed  layer  of  protection  for  the  vital  servers  that  lie  outside  the 
network  firewall  -  DNS,  mail,  and  web.  In  making  these  servers  available  to  the  outside 
world,  they  are  vulnerable  to  attacks.  Host-based  ID  systems  could  provide  protection 
from  this  security  risk. 

Recent  research  conducted  at  the  NPS  illustrates  the  vulnerability  of  systems 

located  outside  the  network  firewall.  Data  collected  and  analyzed  in  the  NPS  RIDLR  lab 

demonstrated  how  often  xmprotected  servers  were  penetrated  for  exploitation. 

A  Honeypot  is  a  set  of  systems  that  simulates  a  real  network.  The 
Honeypot  is  used  to  observe  accesses  and  attempted  accesses.  This 
provides  advanced  warning  of  a  more  concerted  attack.  [Ref  5] 
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The  Honeypot,  in  a  sense,  provides  the  ability  to  ‘get  into  the  head’  of  the 
attacker:  analogous  to  preparing  for  a  game  by  watching  films  of  the  rival  team.  The 
results  of  Honeypots  has  proved  not  only  beneficial  in  identifying  patterns  and  methods  of 
attack  but  also  in  identifying  the  need  for  a  capable  host-based  intrusion  detection  system. 
These  results  endorse  the  need  for  research,  testing  and  evaluation  of  commercial 
intrusion  detection  systems. 

To  develop  a  defense-in-depth  approach  requires  an  understanding  of  the 
strengths  and  weaknesses  of  commercial  intrusion  detection  systems.  There  are  a  vast 
number  of  commercial  E)  system  products  available  on  the  market  today.  The  evaluation 
of  all  these  products  is  impractical,  so  a  small  sampling  will  be  taken  and  a  test  site 
configured.  Host-based  ID  systems  are  one  possible  step  toward  enhancing  the  protection 
of  servers  located  outside  the  firewall  and  unproving  security  on  client  computers  within 
the  firewall.  This  thesis  will  compare  three  host-based  ID  systems  installed  on  a 
Windows  2000  Server  and  present  the  strengths  and  weaknesses  of  each.  Consideration 
will  also  be  given  to  the  benefit  of  installing  host-based  ID  systems  on  the  client 
machines  within  a  network. 

The  principle  reason  for  system  security  is  to  protect  systems  fi-om  the  numerous 
vulnerabilities  inherent  to  computers  networks.  These  vulnerabilities  are  predominantly; 

•  Software  bugs 

•  System  configiu*ation 

•  Password  cracking 

•  Sniffing  unsecured  traffic  and 

•  Design  flaws. 
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Attackers  will  attempt  to  exploit  any  and  every  available  weakness  in  a  system. 
The  Internet  contains  a  plethora  of  information  regarding  software  design  flaws  and 
hacking  tools  that  render  a  system  vulnerable.  The  availability  of  this  information  makes 
it  difficult  to  continually  patch  every  hole  in  a  network  to  prevent  exploitation. 

The  attacker’s  methodology  begins  with  scanning  a  range  of  network  IP 
addresses  to  determine  which  individual  systems  are  alive  and  what  services  are 
available.  Enumeration  is  then  done  to  identify  valid  user  accounts  or  poorly  protected 
resource  shares.  Finally,  the  attacker  uses  escalation  to  increase  permission  to  gain 
access  to  vital  information  and  services. 

This  thesis  will  focus  on  the  first  step  of  this  process.  Port  Scanning  is  one  of  the 
most  popular  reconnaissance  techniques  attackers  use  to  discover  services  they  can  break 
into.  All  machines  connected  to  a  LAN  or  connected  to  the  Internet  via  a  modem  run 
various  services  that  listen  to  ports,  both  well-known  and  some  not  so  well-known.  Port 
scanning  allows  the  attacker  to  find  which  ports  are  available,  being  listened  to  by  a 
service,  on  the  computer.  Ports  provide  access  to  services  and  services  provide  access  to 
applications  and  data  which  can  lead  to  exploits.  Essentially,  a  port  scan  consists  of 
sending  a  message  to  each  port,  one  at  a  time.  The  kind  of  response  received  indicates 
whether  the  port  is  available  and  can  therefore  be  probed  further  for  weakness.  A  TCP/IP 
port  is  a  logical  communication  portal  by  which  information  can  flow.  All  Internet 
protocols  communicate  via  ports,  and  specific  information  is  normally  designated  to  use  a 
specific  port.  Examples  of  well  known  ports  are  listed  below: 
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• 

Echo 

7/tcp 

Echo 

• 

FTP-Dta 

20/udp 

File  Transfer  [Default  Data] 

• 

FTP 

21/tcp 

File  Transfer  [Control] 

• 

SSH 

22/tcp 

SSH  Remote  Login  Protocol 

• 

Telnet 

23/tcp 

Telnet 

• 

SMTP 

25/tcp 

E-mail 

• 

Domain 

53/udp 

Domain  Name  Server 

• 

WWW/HTTP 

80/tcp 

World  Wide  Web/HTTP 

The  simplest  port  scan  attempts  to  send  a  carefully  constructed  packet  to  each 

possible  port,  0-65535,  on  the  target  system  to  see  which  ports  are  open.  Using  a  system 
call  such  as  connectO  the  port  scan  utility  attempts  to  open  a  connection  to  every 
interesting  port  on  the  machine.  If  the  port  is  listening,  connectQ  will  succeed,  otherwise 
the  port  is  not  reachable.  Once  an  open  door  is  identified,  the  hacker  has  achieved  the 
first  objective  towards  exploiting  a  target  computer.  This  fact  makes  it  imperative  to 
have  a  reliable  and  effective  intrusion  detection  system.  Port  scanning  will  be  the  initial 
test  conducted  in  the  lab  on  our  test  server. 
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ni.  TEST  BED  SETUP  AND  CONFIGURATION 


A.  EQUIPMENT 

The  equipment  required  to  conduct  the  tests  includes:  three  desktop  computers  - 
one  to  act  as  the  network  server,  one  to  execute  the  attack  and  one  for  connectivity  to 
the  Internet  for  research  and  resources;  one  hub  to  enable  coimectivity  between  the 
network  computer  and  the  attack  computer;  one  copy  of  Windows  2000  Server;  one 
copy  of  Windows  2000  Professional;  one  copy  of  SuperScan  and  LanGuard  port 
scanning  programs;  and  licensed  copies  of  ZoneAlarm,  HlackICH  and  Sygate 
intrusion  detection  systems.  All  hardware  and  software  were  checked  to  ensure  they 
were  compatible  and  the  minimum  system  requirements  were  met. 

The  following  illustration  (Figure  5)  depicts  the  lab  configuration. 
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Win  2000  Professional 


Figure  5 -Lab  Configuration 


The  network  server  installation  included: 

•  Windows  2000  Server  installed  with  the  following  specifications: 

•  Enabled  as  a  Domain  Controller 

•  Active  Users  and  Directories  enabled 

•  TELNET  disabled  (by  default) 

•  ff  security  was  disabled  by  default  (no  specific  port  restrictions) 

•  Microsoft  Office  2000 

•  User  accounts  were  created  and  share  folders  designated 

•  IP  address  192. 168. 100.40  was  configured 

•  Additionally,  no  specific  security  measures  were  implemented  and  the  system 
was  run  for  a  period  of  time  to  ensure  that  it  was  functioning  properly.  No 
intmsion  detection  system  was  installed  for  the  baseline  tests. 

The  attack  computer  configuration  included: 

•  Windows  98  and  Windows  2000  Professional  in  a  dual  boot  configuration 
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•  IP  address  was  configured  to  192.168.100.80 

•  SuperScan  3.0,  LanGuard  software  installed 

To  evaluate  the  integrity  of  the  network  server,  a  series  of  attacks  were  run  to 
interrogate  the  overall  security  of  the  Windows  2000  Server  machine.  To  simulate  the 
first  step  in  a  typical  attack,  the  attack  computer  used  commercial  scanning  software 
available  for  free  off  the  Internet. 

The  primary  test  program  used  was  SuperScan  3.0.  SuperScan  is  a  coimection- 
based  TCP  port  scanner,  pinger  and  hostname  resolver.  This  program  performs  ping 
scans  and  port  scans  using  any  IP  range.  In  addition  it  will  resolve  and  reverse-lookup 
any  IP  address  or  range.  A  second  series  of  scans  were  run  to  validate  the  SuperScan  test 
results  using  LanGuard.  LanGuard  port  scanner  is  a  freeware  tool  that  allows  you  to  scan 
a  network  for  active  ports  and  identify  unused  applications  such  as  web  servers  that  could 
be  a  secmity  hole. 

Resident  programs  and  commands  within  the  Microsoft  Operating  System  such  as 
FTP  and  ping  were  used  to  fiulher  verify  the  level  of  security  provided  by  the  ID  system. 
Connection  attempts  were  made  to  determine  if  the  ID  system  was  actually  protecting 
ports  or  simply  making  them  invisible  to  scans. 

The  tests  were  conducted  and  information  collected  and  compared  against  four 
system  configurations: 

•  A  Windows  2000  Server  with  no  ID  system 

•  A  Windows  2000  Server  protected  by  ZoneAlarm 

•  A  Windows  2000  Server  protected  by  BlackICE 
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•  A  Windows  2000  Server  protected  by  Sygate 

Additionally,  various  security  levels  or  configurations  of  each  intrusion  detection 
system  was  tested  and  evaluated.  The  results  were  analyzed  to  determine  the  overall 
strengths  and  weaknesses  of  each  ID  system.  Snap  shots  of  the  program  windows  fi'om 
the  attack  computer  and  the  host  server  are  included  to  help  illustrate  the  findings  and 
facilitate  the  comparison. 


B.  INTRUSION  DETECTION  SYSTEMS 


1.  Zone  Alarm 

ZoneAlarm  is  one  the  most  widely  disseminated  ID  system  programs.  Its 

popularity  is  primarily  due  to  the  fact  that  the  software  is  available  at  no  cost  for  personal 

use.  This  fact  and  the  positive  reviews  of  the  program  supported  the  selection  of 

ZoneAlarm  as  one  of  the  ID  systems  tested. 

ZoneAlarm  combines  the  safety  of  a  dynamic  firewall  with  total 
control  over  applications’  Internet  use.  ZoneAlarm  gives  rock- 
solid  protection  against  thieves  and  vandals.  ZoneAlarm  now 
features  MailSafe  to  stop  email-bome  Visual  Basic  Script  worms, 
like  the  “I  Love  You”  Virus,  “dead-in-its-tracks”,  thwarting  its 
spread,  and  preventing  it  fi’om  wreaking  havoc  on  your  PC. 

ZoneAlarm  makes  ironclad  Internet  security  easy-to-use.  [Ref  6] 

The  ZoneAlarm  program  is  based  on  TrueVector  technology.  TrueVector  is 
basically  a  software  engine  made  by  Zone  Labs  that  runs  on  the  operating  system  (Win32) 
to  rqjort  Internet  connection  activity  to  client  applications.  TrueVector  performs  all 
monitoring,  logging  and  filtering  work,  and  is  responsible  for  intercepting  process- 
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loading  and  unloading.  It  keeps  a  list  of  currently  active  processes,  and  intercepts  certain 
keyboard,  mouse  and  other  user  activities  in  order  to  determine  the  active  application. 
TrueVector  can  check  for  various  characteristics  including  executable  name,  version 
numbers,  executable  file  checksums,  version  headers,  and  configuration  settings. 

ZoneAlarm  with  TrueVector  is  designed  to: 

•  Give  notification  when  applications  are  accessing  the  Internet 

•  See  the  type  of  access:  URL,  site,  IP  address,  port  address 

•  See  the  protocol  being  used 

•  See  the  type  of  data  being  sent  or  used 

•  Determine  the  time  and  the  date  of  data  requests 

•  Control  bandwidth  consumed  per  application 

ZoneAlarm  has  security-level  controls  for  both  local  (trusted)  communications 
and  external  Internet  coimections.  Each  category  has  three  choices  -  low,  medium  and 
high.  The  user  can  select  six  different  security  configurations  (L/L,  L/M,  M/M,  L/H, 
M/H,  H/H). 

Table  1  below  describes  each  security  setting: 
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SETTING 

LOCAL 

INTERNET 

fflGH 

•  Enforces  application  privileges. 

•  Internet  Lock  blocks  all  traffic. 

•  Hides  all  ports  not  in  use  by  a 
program  (sometimes  called 

Stealth  Mode) 

•  Blocks  local  access  to  Windows 
services  and  shares 

•  Enforces  application  privileges. 

•  Internet  Lock  blocks  all  traffic. 

•  Hides  all  ports  not  in  use  by  a 
program  (sometimes  called 

Stealth  Mode) 

•  Blocks  Internet  access  to  file  and 
print  sharing. 

MEDIUM 

•  Enforces  application  privileges. 

•  Internet  Lock  blocks  all  traffic. 

•  Allows  access  to  Windows 
services  and  shares. 

•  Leaves  your  computer  and  server 
applications  visible  to  the  local 
network. 

•  Enforces  application  privileges. 

•  Internet  Lock  blocks  all  traffic. 

•  Blocks  Internet  access  to  file  and 
print  sharing. 

•  Leaves  computer  visible  to  the 
Internet 

LOW 

•  Enforces  application  privileges 

•  Internet  Lock  blocks  only 
application  traffic. 

•  Allows  access  to  Windows 
services  and  shares. 

•  Leaves  your  computer  and  server 
applications  visible  to  the  local 
network. 

•  Enforces  application  privileges 

•  Internet  Lock  blocks  only 
application  traffic. 

•  Allows  Internet  access  to  file  and 
print  sharing. 

•  Leaves  computer  visible  to  the 
Internet 
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Snapshot  #1  illustrates  the  Security  Settings  menu  for  ZoneAlarm: 


(  n^ancedl  ^ 


p  Security  level^ — — - - 

Use  these  sliders  to  choose  security  levels  for  your  local  and  Internet  access. 

Local  Internet 


snoeq^secra. 


9)e  Intern^  or^ 


l-:Btoclb'Jocd 

SteaMibfmde:  firevtial  Mcfes  ^ 


.■ 


High  1  ' 

Recommerwtel  s^ir^ford  ; 
coronations. 

:Slrong^cu%:  V 

-Enfoices  appicatoi  privities, 

-  tnt^et  Lock  blocks  ^  traffic. 

:-  Blodcs  Intend  access  to  : 

iWinctews  seryices  andfile^mter ; 


:  •  Ste^  niode:  firewal  Hd£»  all: 
'ports  not «  use  b|j»  a  program.  ; 


□  Block  local  ser^rs 


n  Block  Interrrol  servers 


r  MailSafe  e-mail  protection - - 

I3§  Enable  MailSafe  protection  to  quarantine  e-mail  script  attachments 


□ck  here  to  upgrade  to  ZoneAlarm  Pro. 


Snapshot  1  -  ZoneAlarm  Security  Settings 


The  tests  conducted  only  focused  on  the  Internet  security  settings.  Additional 
features  of  ZoneAlarm  included  pop-up  windows  alerting  the  user  of  possible  intrusions 
and  a  log  file  of  all  activity  on  the  computer  it  is  monitoring,  hi  medium  and  high 
security  mode  ZoneAlarm  blocks  all  traffic  until  the  user  grants  pemussion. 
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2. 


BlackICE 


BlackICE  was  developed  by  Network  Ice  Corporation  and  claims  to  be  a  full- 
featured  personal  firewall. 

BlackICE  works  continually  to  defend  servers  and  workstations  Jfrom  over 
200  hacker  signatures  including  the  Melissa  Worm,  “Slow  Scans”  and 
"Back  Orifice."  Even  if  hackers  bypass  firewalls  or  intrusion  defenses, 
BlackICE  bars  entry  at  the  desktop  and  server.  [Ref  7] 

BlackICE  has  four  security  levels  as  described  in  the  Table  2  below: 


SECURITY  LEVEL 

DESCRIPTION 

PARANOID 

Blocks  all  unsolicited  inbound  traffic.  May  restrict  some  web 
browsing  and  interactive  content 

NERVOUS 

Blocks  all  unsolicited  inbound  traffic  except  for  some  interactive 
web  site  content,  (such  as  streaming  media) 

CAUTIOUS 

Only  blocks  unsolicited  network  traffic  that  accesses  operating 
system  and  networking  services 

TRUSTING 

All  ports  remain  open  and  unblocked,  and  therefore  allows  all 
inboimd  traffic 

In  addition  to  the  security  levels,  BlackICE  has  3  protection  tabs  to  further  define 
the  program  configuration: 

•  ENABLE  AUTO  BLOCKING  -  This  feature  automatically  blocks  all 
attempts  to  break  into  a  S3^tem.  If  unchecked,  an  attack  will  still  be 
reported  and  logged,  but  not  automatically  blocked. 

•  ALLOW  INTERNET  FILE  SHARING  -  When  enabled,  an  external 
connection  can  be  made  to  a  computer  over  the  Internet  to  upload  or 
download  files.  If  unchecked  it  prevents  systems  fi-om  connecting  to  the 
computer  and  accessing  the  shares. 

•  ALLOW  NETBIOS  NEIGHBORHOOD  -  When  enabled  the  host 
computer  will  appear  in  the  Network  Neighborhood  of  other  computers, 
and  the  host  name  is  resolved  on  scans. 


26 


Snapshot  #2  illustrates  the  security  settings  menu  for  BlackICE  Defender: 


Snapshot  2  -  BlackICE  Settings  Menu 


BlackICE  Defender  is  composed  of  a  detection  and  analysis  engine  that 
constantly  monitors  the  inboimd  and  outbound  traffic  between  your  computer  and 
the  Internet  or  other  computers  on  a  network.  The  core  of  the  BlackICE  product  is 
the  patent-pending  seven-layer  decoding  engine.  This  engine  analyzes  incoming 
and  outgoing  network  traffic  in  real-time  for  intrusions.  Unlike  most  modem 
intrusion  detection  systems,  which  use  "pattern  matching"  technologies,  BlackICE 
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uses  sophisticated  protocol  analysis  algorithms.  Protocol  analysis  examines  the 
structure  and  composition  of  network  communications.  BlackICE  considers  this  a 
more  efficient  way  to  detect  and  identify  attacks  while  allowing  it  to  detect 
sophisticated  intrusions  that  pattern  matching  software  cannot  catch. 

3.  Sygate 

Sygate  Technologies  has  recently  entered  the  host-based  intmsion  detection 
market  with  Sygate  Personal  Firewall  4.0.  According  to  Sygate’s  website  their  product  is: 

Sygate  is  more  than  an  advanced,  user-fiiendly  personal  firewall  -  it  is  a 

bi-directional  intrusion  detection  system.  [Ref  8] 

Sygate’s  serves  as  a  firewall  by  controlling  access  to  communications  ports  and 
monitoring  port-scanning  activity.  As  an  intrusion  defense  agent,  Sygate  hopes  to  allow 
only  trusted  communications  and  considers  any  other  network  activity  as  malicious. 

Using  a  guilty  until  proven  innocent  approach,  Sygate  claims  to  preserve  system 
resources  by  maintaining  a  60,000-signature  library  of  known  attacks,  but  only  uses  it  for 
reporting  purposes.  This  rules-based  approach  is  less  memory  intensive  but  requires 
more  user  interaction. 


Sygate  has  three  security  level  configurations  as  described  in  Table  3  below: 


SECURITY  LEVEL  DESCRIPTION 

BLOCK  ALL 

Prevents  all  information  entering  or  leaving  your  computer  fi'om 
any  outside  source. 

NORMAL 

Automatically  blocks  any  access  from  your  computer  until  the 
user  grants  access.  Allows  user  to  alter  the  “status”  of  different 
applications. 

ALLOW  ALL 

Permits  the  transmission  of  all  network  traffic  to  and  from  your 
computer.  Still  logs  all  traffic 
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Sygate  Personal  Firewall  4.0  provides  users  with  performance  enhancing  features 
including: 

•  Dynamic  Interface  Support  -  Allows  users  to  configure  separate  security 
poUcies  for  each  network  interface  card  directly  from  the  user  interface 

•  Application  Learning  Mode  -  Enables  Sygate  Personal  Firewall  to 
remember  which  applications  have  been  allowed  or  blocked  by  the  user 

•  Application  Authentication  -  Uses  MD5  cryptographic  signatures  to  check 
application  attributes  such  as  checksum,  path  and  file  name,  warning  users  to 
applications  compromised  by  a  hacker  or  Trojan 

•  Dynamic  Port  Blocking  -  Automatically  blocks  ports  when  applications  that 
otherwise  use  them  are  idle,  reducing  exposure  to  attack 

•  High  Performance  Security  -  Ensures  top-notch  security  while  minimizing 
impact  to  system  performance 

Sygate  Personal  Firewall  provides  pop-up  window  notification  of  any  new  or 
modified  applications,  detected  attacks  or  user-specified  events,  and  has  a  box  to  check  to 
remember  these  notification  responses  to  eliminate  redimdancy.  The  illustrations  below 
(Snapshots  3  and  4)  are  examples  of  the  user  interface  notification  provided  by  Sygate. 
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Snapshot  3 


Sygate  notifies  the  user  when  a 
program  is  attenpting  to  connect  and 
provides  helpful  details  regarding  the 
application. 


Sygate  Alert  Window 
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Snapshot  4  -  Sygate  Security  Log 


C.  DATA  COLLECTION  PROCESS 

A  series  of  standard  attack  methods  was  launched  against  the  Windows  2000 
Server  computer  simulating  a  network  server  located  outside  a  firewall.  All  activity  on 
both  the  attack  and  network  computers  were  monitored  and  snapshots  of  the  resulting 
data  copied.  The  evaluation  was  conducted  against  the  following  configurations: 

•  Windows  2000  Server  with  no  ID  system. 

•  Windows  2000  Server  with  ZoneAlarm  2.6  installed. 

•  Windows  2000  Server  with  BlackICE  2.5  installed. 


Windows  2000  Server  with  Sygate  Personal  Firewall  4.0  Build  671  installed. 


The  same  set  of  exploits  will  be  conducted  against  each  of  the  four  system 
configurations  and  the  resulting  data  will  be  evaluated  to  determine  the  effectiveness  of 
each  ID  system  at  securing  the  network  server  fi-om  exploitation.  Consideration  will  be 
given,  not  only  to  stopping  attacks,  but  also  to  how  well  the  ID  system  alerts  the  user  and 
system  administrator  to  the  real-time  existence  of  attacks. 

The  evaluation  criteria  key  elements  will  include: 

•  Effectiveness  of  intrasion  detection 

•  Effectiveness  of  security  protection 

•  Effectiveness  of  reaction 

•  User  interface 

The  questions  considered  will  include: 

•  What  is  the  benefit  of  a  host-based  ID  system  to  overall  network  security 

•  How  effective  is  a  host-based  ID  system 

•  Are  host-based  ID  systems  a  possible  solution  to  a  defense  in-depth  posture 
for  networks 

•  How  easy  is  an  ID  system  to  implement  and  use,  is  it  any  more  difficult  than  a 
virus  scanning  program 

•  Does  the  security  benefits  justify  the  additional  cost  of  implementing  host- 
based  ID  systems 

•  What  follow-on  testing  should  be  conducted 

•  Should  a  standard  test  platform  be  developed  for  commercial  ID  systems 
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The  above  criteria  and  questions  will  be  used  during  the  process  of  the  evaluation 
and  to  determine  the  effectiveness  of  adding  host-based  intrusion  detection  systems  to 
network  servers  outside  the  firewall  as  well  as  client  stations  within  the  firewall. 
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IV.  TEST  DATA  RESULTS  AND  EVALUATION 


A.  INTRODUCTION 

The  tests  conducted  emulate  the  first  step  in  the  intrusion  process,  port  scanning. 
Most  attackers  only  focus  on  the  available  ports  detected  through  the  use  of  a  scanning 
tool.  To  properly  identify  how  each  of  the  ID  systems  performs  in  each  of  the  key  criteria 
elements,  we  evaluated  the  results  of  each  system  against  an  identical  port  scan  using 
SuperScan  3.0.  LandGuard  port  scanner  was  also  used  to  validate  the  SuperScan  results. 
An  FTP  connection  was  attempted  to  TCP  port  21  in  an  effort  to  determine  whether  the 
ID  systems  masked  the  opened  ports  or  actually  blocked  the  available  ports.  The  ping 
command  was  used  to  verify  the  ID  systems  were  actually  hiding  the  IP  address  from 
scanners.  Snapshots  from  the  attacking  computer  and  the  server  will  highlight  the 
effectiveness  of  each  ID  S5^tem  and  indicate  the  array  of  features  each  ID  sj^tem  offers. 

1.  NO  ID  SYSTEM  INSTALLED 

The  initial  test  consisted  of  a  port  scan  utility  run  against  Windows  2000  Server 
with  no  ID  system.  The  scan  was  conducted  using  SuperScan  against  ports  0-65,535. 
The  results  of  this  scan  indicated  21  ports  located  on  the  host  server  (NPS- 
TESTSERVER)  were  available  as  seen  in  Snapshot  5  below. 
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Snapshot  5  -  SuperScan  vs.  Wm2K  Server  with  no  ID  system 
The  results  of  this  scan  indicate  that  quite  a  large  amount  of  information  regarding 
the  network  server:  IP  address,  host  name,  available  port  numbers,  and  services  available 
on  those  ports. 


The  following  ports  and  services  were  available  with  no  ID  s>^tem  installed.  This 
list  represents  the  default  ports  Windows  2000  Server  makes  available  in  order  to  perform 
routine  tasks.  The  available  ports  can  be  modified  depending  on  the  requirements  of  the 
server  and  will  be  discussed  in  greater  detail  in  chapter  foiu*. 
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A  brief  description  of  the  port  identified  and  any  known  Trojans  used  against 
these  port  is  listed  below: 

7  Echo  -  Echoes  back  every  line  of  text  typed  at  it. 

9  Discard  (sink  null)  -  Everything  sent  to  this  server  should  silently 

disappear. 

13  Daytime  -  The  server  returns  a  packet  in  ASCII  character  string  containing 
the  date  in  readable  form. 

1 7  Quote  of  the  Day  -  Sends  a  "Quote  of  the  Day"  regardless  of  input. 

19  Character  Generator  (ttytst  source)  -  Server  spits  characters  in  an  endless 

stream. 

21  File  Transfer  [Control]  -  Allow  transfer  of  files  firom  one  computer  to 
another.  It  uses  two  channels,  one  a  control  channel  ftp/tcp  and  the  other  a 
data  channel  ftp-data/tcp.  The  DarkFTP  Trojan  also  uses  this  port. 

25  Simple  Mail  Transfer/*  -  De  facto  email  standard  for  the  internet.  Also 
used  by  following  Trojan  horses:  Ajan,  Antigen,  Email  Password  Sender, 
Haebu  Coceda,  Happy  99,  Kuang2,  NewApt,  Promail  Trojan,  Shtrilitz 
Stealth,  Tapiras,  Terminator,  WinPC,  WinSpy. 

42  Host  Name  Server  -  This  is  the  old  DNS.  Replaced  by  the  domain 
protocol.  Microsoft's  WINS  may  also  support  directory  replication  at  this 
port. 

53  Domain  Name  Server. 

80  World  Wide  Web  HTTP/*  -  Known  Trojan  horses:  Executor,  Hooker,  and 
RingZero. 

88  Kerberos  -  hnplements  a  trusted  third-party  authentication  protocol. 

119  Network  News  Transfer  Protocol/*  -  imtp=provides  a  client-server  news 
feed  protocol  to  allow  clients  to  read  "news".  Happy  99  Trojan  uses  this 
port. 

135  Microsoft  DCE  endpoint  resolution/Location  Service. 
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139  NETBIOS  Session  Service  -  "File  and  Printer  Sharing"  on  a  Windows 
machine  uses  this  port  extensively,  which  is  frequently  an  exploitable 
security  hole. 

389  Lightweight  Directory  Access  Protocol  -  Allows  access  via  TCP  to  an 
X.500  directory.  Used  by  NetMeeting  -  Internet  Locator  Server  (ILS) 
using  LDAP. 

443  http  protocol  over  TLS/SSL. 

445  Microsoft-DS  -  It  is  used  by  Windows  2000  for  SMB  over  TCP  and  UDP, 
concurrently  or  alternatively  with  the  traditional  implementation  over  ports 
137,  138  and  139. 

464  Kpasswd. 

563  nntp  protocol  over  TLS/SSL  (was  snntp)  -  Supported  by  MS  Exchange. 

636  Idap  protocol  over  TLS/SSL  (was  sldap)  -  This  is  used  by  NetMeeting. 

1030  BBNIAD. 


Additionally,  we  were  able  to  connect  to  the  server  (Snapshot  6)  using  the  File 
Transfer  Protocol  (FTP).  These  results  indicated  in  Snapshots  5  and  6  highlight  the 
availability  of  information  from  the  network  server  and  the  need  to  have  a  mechanism  in 
place  to  protect  the  security  of  the  server. 
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MS-DOS  Prompt 


fei 


rzp> 
To  1 
Conn 
220 
User 
331 
Pass' 
230 
ftp> 


22. 16S. 100.40 

ected  to  192.163.100.40. 

riDS-testserver  Microsoft  FTP  Service  (Version  5.0) 
(192. 168. 100.40: (none)) :  administrator 
Password  required  for  admini strator. 
word: 

User  adfui ni strator  logged  in. 
pwd 

"/"  is  current  directory, 
di sconnect 


Snapshot  6  -  Attack  computer  connected  to  server  with  FTP 

2.  ID  Systems  Installed 

Each  of  the  three  Intrusion  Detection  Systems  was  separately  installed  on  the  host 
computer.  The  same  ports  scan  and  FTP  connection  tests  were  run  against  all  three  ID 
systems.  All  of  the  various  configurations  of  each  ID  system  were  selected  and  tested. 
To  maiTitain  continuity,  nothing  else  was  altered  on  the  Window  2000  Server  platform. 
The  following  are  the  results  of  the  tests  conducted. 


a.  ZoneAlarm 

ZoneAlarm  was  loaded  and  configured  in  each  of  its  six  possible  security 
setting.  Table  4  below  Weights  the  results  of  the  tests  conducted: 
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SECURITY  SETTING 
LOCAL/INTERNET 

PORT  PROBE 
ALERTS 
REPORTED 

SUPERSCAN 

RESULTS 

FTP 

CONNECT 

LOW/LOW 

0 

21  ports  resolved 

YES 

LOW/MEDIUM 

6 

18  ports  resolved 

YES 

MEDIUM/MEDIUM 

6 

18  ports  resolved 

YES 

LOW/HIGH 

MORE  THAN 
500 

0  ports  resolved 

NO 

MEDIUM/HIGH 

MORE  THAN 
500 

0  ports  resolved 

NO 

HIGH/HIGH 

MORE  THAN 
500 

0  ports  resolved 

NO 

The  only  configurations  in  which  ZoneAlarm  provided  complete 
protection  against  the  port  scan  utility  were  when  the  Internet  security  level  was 
configured  to  HIGH.  The  Internet  security  setting  was  the  only  relevant  factor  due  to  the 
port  scan  test  running  from  an  external  connection.  In  the  Low  and  Medium  hitemet 
configuration  ports  were  still  available  and  an  FTP  connection  was  possible.  The  Internet 
Low  setting  revealed  all  21  available  ports  and  no  alerts  were  generated  in  the  logs.  The 
Internet  Medium  setting  effectively  blocked  access  to  3  ports.  These  3  ports  ^orts  135, 
139  and  445)  all  perform  file  and  print  sharing  services.  The  hitemet  Medium  setting  is 
designed  to  block  Internet  access  to  file  and  print  sharing,  so  the  test  results  validate  the 
claims. 

Snapshot  7  shows  total  protection  fi-om  discovery  when  configured  in 
Internet  High.  The  host  name  was  not  detected  and  no  open  ports  were  revealed.  On  the 
host,  ZoneAlarm  provided  pop-up  alerts  identifying  the  intmsion  attempt,  IP  address  and 
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port  number  of  the  attacking  computer  (Snapshots  8  and  9).  The  built-in  alert  log  tracks 
all  activity  and  stores  it  in  a  text  file. 


Snapshot  7  -  SuperScan  vs.  Win2K  Server  with  ZoneAlarm  Internet  High 
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Snapshot  8  -  ZoneAlarm  Pop-up  message 


Snapshot  9  —  ZoneAlarm  Current  Alert  Message 
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b.  Blackice 

BlackICE  was  installed,  configured  and  tested  in  each  of  its  four  security 
levels.  In  Cautious  mode  BlackICE  blocks  only  unsolicited  traffic  that  accesses  operating 
system  and  network  services;  therefore,  all  but  2  ports  (563  and  636)  that  do  not  access 
these  services  were  blocked.  The  results  are  captured  in  Table  5  below: 


SECURITY 

SETTING 

PORT  PROBE  ALERTS 
REPORTED 

SUPERSCAN 

RESULTS 

FTP 

TRUSTING 

1953 

21  PORTS  RESOLVED 

YES 

CAUTIOUS 

5,200 

2  PORTS  RESOLVED 

NO 

NERVOUS 

11,727 

0  PORTS  RESOLVED 

NO 

PARANOID 

16,000 

0  PORTS  RESOLVED 

NO 

hi  Paranoid  mode,  BlackICE  blocked  all  the  ports  and  concealed  the 
hostname;  however,  the  host  IP  address  was  still  identified  by  SuperScan  as  seen  in 
Snapshot  10. 
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Snapshot  10  -  SuperScan  vs.  Win2K  with  BlackICE  in  Paranoid  Mode 
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Snapshot  1 1  below  shows  the  reporting  mechanism  BlackICE  uses  to  alert 
the  host  computer  of  the  intrusion  attempts.  It  properly  identifies  the  intruder  address, 
date,  time,  attack  type  and  the  number  of  attacks. 


<  >  BiackICE  Defender 


r 


i  "  


06/01/01  1213:45 
®  06/01/01  1212:43 

#  06/01/01  1212:32 

#  06/01/01  1212:32 
{S>  06/01/01  1211:46 

06/01/01  1211:37 


TCP  SYN  flood 
TCP  port  probe 
TCP  port  scan 
TCP  SYN  flood 
TCP  port  scan 
TCP  SYN  flood 


192.168.100.80 

192.168.100.80 

192.168.100.80 

192168.100.80 

192.168.100.80 

192168.100.80 


*  fecanl^tibacker^iai^^  tfer<Wigh|ia»1>r  ports  oh  ,  ^  ^ 


t 


~  v'.\  — 


Snapshot  1 1  -  BlackICE  Attack  Log 


c.  Sygate 

Sygate  Personal  Firewall  was  installed,  configured  and  tested  in  Allow, 


Normal  and  Block  modes.  The  results  of  the  SuperScan  test  are  listed  in  Table  6  below. 


SECURITY 

PORT  PROBE  ALERTS 

SUPERSCAN 

FTP 

LEVEL 

REPORTED 

RESULTS 

CONNECT 

ALLOW  ALL 

0 

21  PORTS  RESOLVED 

YES 

NORMAL 

1300 

0  PORTS  RESOLVED 

NO 

BLOCK  ALL 

0  (Everything  shut  down) 

0  PORTS  RESOLVED 

NO 
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Similar  to  ZoneAlarm  in  its  most  secure  mode,  Sygate  also  blocked  all 


information  in  its  most  secure  mode  as  seen  in  Snapshot  12  below. 


Snapshot  12  -  SuperScan  vs.  Win2000  Server  with  Sygate  Block  All  mode 

Sygate’s  reporting  utilities  were  extensive  as  seen  in  Snapshot  13.  The 
program  blocked  all  access  to  the  host  ports  and  correctly  identified  the  intruder’s  IP 
address  and  port  number. 


Snapshot  13  -  Sygate  Traffic  Log 
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In  addition  to  a  Traffic  Log,  Sygate  offers  a  Packet  Log  (Snapshot  14)  that 


identifies  each  packet  and  its  contents. 


Snapshot  14  -  Sygate  Packet  Log 
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B.  FTP  RESULTS 


FTP  was  used  to  verify  the  ID  systems  were  actually  protecting  ports  and  not 
simply  making  them  invisible  to  scans.  FTP  was  not  able  to  establish  a  connection  with 
any  of  the  ID  systems  in  their  more  secure  modes.  Snapshot  4  below  shows  the  failed 
connection  that  resulted  from  an  FTP  with  the  server  when  an  ID  system  was  installed. 
10060  is  a  FTP  error  message  that  means  a  connection  could  not  be  established.  The  ID 
systems  not  only  hide  all  ports,  but  close  them  down  as  well. 


Snapshot  15  -  FTP  reaction  vs.  Win2K  Server  with  ZoneAlarm,  BlackICE  and  Sygate 
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C.  PING  RESULTS 

The  ping  command  was  used  to  determine  if  the  ID  system  was  hiding  the  host  IP 
address  when  SuperScan  rqjorted  no  active  host  found  as  indicated  by  the  red  “X”  next  to 
the  IP  address  in  the  SuperScan  windows  included  above.  It  was  determined  that  Ping 
did  not  receive  a  response  back  from  the  server  when  the  ID  systems  were  configured 
such  that  the  no  active  host  was  found,  i.e.  ZoneAlarm  in  High  Internet  seciuity  setting 
and  Sygate  in  Normal  and  Block  All  modes. 


;  MS-DOS  Piompl 


11?  12  X  20 


C : \>PI NG  192.163. 100 . 40 

Pinging  192 . 16 S . 100. 40  with  32  bytes  of  data: 

Request  timed  out. 

Request  timed  out. 

Request  timed  out. 
j'Request  timed  out. 

Ping  statistics  for  192.168.100.40: 

Packets:  Sent  =  4,  Received  =  0,  Lost  =  4  (100%  loss') 
Approximate  round  trip  times  in  mi  1 li -seconds : 

Minimum  =  Oms,  Maximum  =  0ms.  Average  =  0ms 


Snapshot  16  -  Ping  Results  against  ID  System  configurations  that  did  not  detect  an  active 
host  IP  address 
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D.  ADDITIONAL  TEST  DATA 


Windows  2000  Server  provides  the  network  administrator  with  the  flexibility  to 
modify  the  available  port  listing.  Test  data  was  collected  to  determine  the  effectiveness 
of  the  TCP/IP  filtering  utility.  Snapshot  17  indicates  that  only  ports  21  and  80  were 
enabled.  Snapshot  18  reveals  that  even  with  no  ID  system  installed  all  ports  were 
successfully  blocked  except  ports  21  and  80.  Subsequently,  tests  were  conducted  with 
each  ID  system  running  to  determine  if  the  ID  system  would  run  more  efficiently  or  still 
report  a  port  scan  of  the  ports  that  were  disabled  using  TCP/IP  filtering.  All  3  ID  systems 
recognized  and  reported  port  scan  alerts  identical  to  the  initial  tests  run  with  all  ports 
open.  There  appeared  to  be  no  benefit  to  the  ID  systems  to  restrict  access  to  any  specific 
ports. 


Snapshot  17  -  Win2K  TCP/IP  Filtering  Menu 
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Snapshot  18  -  SuperScan  vs.  Win2K  with  only  ports  21  &  80  open 


The  TCP/IP  filtering  utility  is  a  helpful  tool  for  knowledgeable  network 
administrator  who  has  a  clear  understanding  of  the  ports  necessary  for  a  server  to  perform 
its  operations.  However,  restricted  port  access  does  not  circumvent  the  need  for  a  quality 
ID  system.  The  ID  system  will  still  generate  valuable  alerts  notifying  the  user  and 
administrator  of  port  scans  and  possible  intrusion  attempts  in  addition  to  providing  the 
ability  to  trace  the  source  of  the  attack.  In  the  absence  of  a  host-based  ID  system,  port 
restrictions  would  be  recommended. 
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E.  SUMMARY  OF  DATA  COLLECTED 

Table  7  below  depicts  the  overall  perfomiance  of  each  ID  system  in  its  various 
configurations.  Explanation  of  table  contents: 

•  Column  one:  name  of  ID  system  installed 

•  Column  two:  configuration  of  ID  system 

•  Column  three:  was  host  IP  address  identified 

•  Column  four:  was  hostname  identified 

•  Column  five:  number  of  open  ports  detected 

•  Column  six:  could  FTP  coimection  be  established 

•  Column  seven:  was  a  ping  response  received 


iDS 

RESOLVE  HOSTNAME 

#  OF  OPEN  PORTS 

FTP  ACCESS 

PING  RETURN 

NONE 

N/A 

YES 

YES 

21 

YES 

YES 

ZONEALARM 

LOW/LOW 

YES 

YES 

21 

YES 

YES 

M 

LOW/MED 

YES 

NO 

18 

YES 

YES 

N 

MED/MED 

YES 

NO 

18 

YES 

YES 

M 

LOW/HIGH 

NO 

NO 

0 

NO 

NO 

M 

MED/HIGH 

NO 

NO 

0 

NO 

NO 

ft 

HIGH/HIGH 

NO 

NO 

0 

NO 

NO 

BLACKICE 

TRUSTING 

YES 

N/A* 

21 

YES 

YES 

n 

CAUTIOUS 

YES 

N/A* 

2 

NO 

YES 

n 

NERVOUS 

YES 

N/A* 

0 

NO 

YES 

ft 

PARANOID 

YES 

N/A* 

0 

NO 

YES 

1*  USER  SPECIFIED.  SEE  BLACKICE  WRITEUP. 

j 

SYGATE 

ALLOW 

YES 

YES 

21 

YES 

YES 

ft 

NORMAL 

NO 

YES 

0 

NO 

NO 

ft 

BLOCK 

NO 

NO 

0 

NO 

NO 
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F.  COMPARISON  OF  ID  SYSTEMS 

The  previous  snapshots  and  tables  help  to  illustrate  that  all  three  Host-based 
Intrusion  Detection  Systems  perform  well  in  preventing  a  port  scan  run  against  a 
Windows  2000  Server  platform.  Properly  configured,  they  also  successfully  prevented  a 
direct  connection  through  FTP  port  21.  Further  analysis  of  these  three  programs  indicates 
that  differences  do  exist. 

One  significant  difference,  not  highlighted  in  the  test  data  since  only  inbound 

< 

traffic  was  reported,  involves  the  ID  systems  ability  to  control  and  restrict  outboimd 
traffic.  ZoneAlarm  and  Sygate  use  a  “rales-based  approach”,  meaning  that  the  user  is 
asked  to  allow  or  disallow  all  outbound  program  connections.  BlackICE  does  not  employ 
this  methodology  and  therefore  lacks  this  feature.  This  is  a  significant  pitfall  for 
BlackICE  because  the  potential  exists  to  download  utilities  that  may  contain  Trojan  horse 
programs,  such  as  the  “Back  Orifice”  Trojan,  with  any  client  computer  that  has  Internet 
access  using  an  application  proxy  and  a  firewall.  A  Trojan  of  this  nature  can  infest  itself 
within  the  machine  and  initiated  (outbound)  traffic  fi-om  the  host  to  coimect  to  hitemet 
Relay  Chat  (IRC)  servers  and  such.  If  the  harmful  program  is  initiated  fi-om  the  host  then 
BlackICE  will  not  provide  protection  and  the  system  is  vulnerable  to  widespread  attacks. 
The  danger  of  this  makes  it  imperative  that  a  good  host-based  ID  system  be  complete 
with  outgoing  traffic  monitoring  as  well  as  screening  all  incoming  traffic. 
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BlackICE  also  lacked  the  ability  to  block  ping  replies.  Both  ZoneAlarm  and 
Sygate  do  not  reply  to  ping  attempts  in  their  more  secure  modes.  At  first  glance  this  may 
not  seem  significant  because  a  ping  flood  cannot  be  stopped,  and  if  a  specific  IP  address 
is  targeted,  this  feature  has  no  benefit.  However,  if  an  IP  address  is  not  widely  known 
and  is  not  specifically  targeted,  this  feature  is  key.  By  not  replying  to  a  ping,  the 
computer  is  basically  in  stealth  mode,  and  an  attacker  scanning  a  range  of  IP  addresses 
will  not  detect  the  machine.  This  feature  can  prevent  an  attacker  from  ever  launching  an 
attack. 

All  three  ID  systems  offer  the  benefit  of  being  able  to  back  trace  a  suspicious 
packet.  This  feature  provides  system  administrators  the  ability  to  identify  and  report  the 
source  of  illegal  activity  to  the  proper  authorities.  Although  most  attackers  will  take 
measures  to  guarantee  their  anonymity,  it  is  still  a  useful  feature  for  reporting  intrusion 
attempts.  It  is  critical  to  protect  networks  from  intrusions,  but  it  is  also  important,  to 
identify  if  possible,  the  source  of  the  intrusion  attempts. 

Analysis  of  the  evaluation  criteria  key  elements  outlined  in  Chapter  3  follows: 

•  Effectiveness  of  intrusion  detection  -  All  three  programs  performed 
adequately  at  detecting,  reporting  and  preventing  intrusions. 

•  Effectiveness  of  security  protection  -  All  three  programs  provided  good 
protection  when  configured  in  their  most  secure  mode  (Internet  High  for 
ZoneAlarm,  Paranoid  for  BlackICE  and  Block  All  for  Sygate).  Sygate  blocks 
all  inboxmd  and  outbound  communications  in  this  configuration  isolating  the 
system.  ZoneAlarm  and  BlackICE  both  allowed  communications  to  continue 
while  maintaining  a  tight  security  posture.  hi  more  promiscuous 
configurations  the  protection  suffered.  BlackICE  revealed  2  open  ports  in 
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Nervous  mode,  18  open  ports  in  Cautious  mode  and  21  open  ports  in  Trusting 
mode.  Sygate  blocked  all  ports  but  allowed  the  host  name  to  be  resolved  in 
Normal  mode.  In  Allow  mode,  Sygate  correctly  logged  all  the  port  scan 
activity  but  revealed  all  open  ports.  ZoneAlarm  revealed  open  ports  in  both 
Intemet  Medium  and  Internet  Low  modes. 

•  Effectiveness  of  reaction  -  All  three  programs  performed  sufficiently  by 
quickly  and  effectively  blocking  port  scans  and  denying  access  to  connection 
attempts  fiom  FTP.  However,  BlackICE  and  Sygate  lack  a  pop-up  window 
alerting  the  user  to  the  attack.  Users  must  keep  their  eye  on  the  system  tray  to 
look  for  a  “blinking”  icon. 

•  User  interface  -  All  three  systems  were  easy  to  install  and  configure. 
BlackICE,  based  on  the  fact  that  it  doesn’t  employ  rule-based  monitoring,  was 
extremely  user  fiiendly  and  hands  off.  ZoneAlarm  and  Sygate  have  numerous 
pop-up  screens  that  require  the  user  to  allow  or  disallow  communications. 

Based  on  the  results  of  tests  conducted  and  the  interaction  with  each  of  the  ID 
systems.  Table  8  below  shows  a  breakdown  of  how  each  system  compares.  Each  feature 
is  graded  using  a  scale  of  1  -  10,  with  10  being  most  favorable. 


ID  SYSTEM 

ZONEALARM 

BLACKICE 

SYGATE 

EASE  OF  INSTALLATION  &  USE 

8 

9 

8 

CONFIGURABILITY 

9 

8 

9 

OVERALL  EFFECTIVENESS 

9 

8 

9 

USER  INTERFACE 

9 

7 

8 
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Although,  none  of  the  E)  systems  evaluated  satisfy  all  the  expectations  of  what  an 
ideal  ID  system  should  provide.  Each  system  did  provide  obvious  improvements  over  an 
unprotected  system  and  they  all  had  strengths  that  were  unique  to  their  program.  Sygate 
offered  password  protection  capability  so  that  an  administrator  could  install  the  program 
on  a  client  computer  and  prevent  the  user  from  changing  the  security  settings.  BlackICE 
was  the  least  intrusive  and  offered  the  widest  selection  of  security  profiles.  However, 
ZoneAlarm’s  ability  to  control  outbound  traffic,  hide  the  IP  address  from  scans  and 
display  pop-up  window  alerts  made  it  the  best  of  the  three  systems  tested. 
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V.  SUMMARY  AND  CONCLUSION 


A.  SUMMARY 

Secure  systems  are  essential  to  ensure  effective  infonnation  operations  and  protect 
network  security.  A  high  percentage  of  crackers  are  opportunists  who  run  scanners  to 
check  massive  numbers  of  hosts  for  remote  system  vulnerabilities.  A  typical  DoD 
organization  may  have  5  external  web  servers,  2  external  mail  servers,  and  a  firewall 
protecting  the  network.  Crackers  wanting  to  gain  access  to  the  organization’s  network 
will  commonly  target  these  servers.  Servers  located  outside  the  firewall  must  exchange 
information  with  servers  within  the  network  firewall.  This  provides  attackers  with  an 
enticing  target  of  opportunity  to  gain  access  to  the  internal  network  and  jeopardize  the 
security  of  the  entire  system.  Utilizing  a  host-based  ID  system  on  all  government 
network  computers  located  outside  the  firewall  would  provide  an  additional  level  of 
security  and  a  method  of  real-time  monitoring. 

In  addition,  using  a  defense-in-depth  approach,  host-based  ID  systems  would 
provide  system  administrators  with  a  valuable  utility  if  installed  on  all  client  computers 
throughout  the  network.  Similar  to  the  common  practice  of  utilizing  anti-virus  software 
as  a  security  precaution  to  protect  networks,  a  properly  designed  and  configured  host- 
based  ID  system  should  be  implemented  to  add  additional  safeguards  to  government 
networks.  The  effective  dq)loyment  of  host-based  ID  systems  would  consist  of 
individual  systems  installed  on  each  machine  throughout  a  network  with  a  centralized 
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reporting  mechanism  to  one  location.  This  would  enable  network  administrators  to 
efficiently  monitor  the  entire  network  for  malicious  activity. 

B.  CONCLUSION 

Although  the  ID  systems  tested  offer  significant  benefits  to  network  security,  none 
of  them  can  satisfy  all  the  requirements  of  an  ideal  program  for  government  use. 
However,  with  more  than  150  commercial  vendors  currently  in  the  industry,  a  system  can 
be  designed  to  meet  the  needs  of  protecting  government  networks.  As  a  result  of  this 
research  the  following  conclusions  have  been  reached.  First  and  foremost,  the  Host- 
based  ID  system  designed  for  the  government  must  come  from  a  trusted  vendor.  The 
risks  are  too  great  to  install  software  on  every  government  system  that  could  contain 
potentially  hazardous  code.  The  following  is  a  list  of  recommendations  to  be  considered 
in  determining  the  design  requirements  for  an  ideal  host-based  ID  system: 

•  Impose  minimal  overhead  on  the  system 

•  Observe  deviations  fi-om  normal  behavior,  yet  be  able  to  adapt  to  changes 
in  the  system  profile  that  occur  over  time 

•  Run  on  client  computers  but  report  to  a  central  monitoring  location 

•  Have  password  protection  to  prevent  individuals  fi-om  changing  the 
configuration  once  it  is  set-up 

•  Block  all  imauthorized  incoming  and  outgoing  traffic 

•  Accurate  signature  database,  with  timely  updates 

•  Be  extremely  difficult  to  fool 

•  Be  able  to  monitor  itself  to  recognize  if  it  has  been  subverted 

•  Allow  its  internal  working  to  be  examined  Jfrom  the  outside 

•  Be  able  to  back  trace  any  intrusion  attempts  to  help  identify  intruders 
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As  network  security  concerns  continue  to  increase,  the  need  for  additional  security 
measures  is  paramount.  The  tests  conducted  have  adequately  supported  that  host-based 
ID  systems  can  help  facilitate  such  security  enhancements.  Host-based  ID  systems  can  be 
utilized  to  increase  network  security  in  two  manners:  they  can  provide  a  shield  of 
protection  on  the  susceptible  servers  located  outside  the  network  firewall,  and  they  can 
work  in  conjunction  with  the  network  ID  system  by  providing  an  additional  layer  of 
protection  on  client  workstations  within  the  network  firewall.  Host-based  ID  systems  are 
relatively  inexpensive  and  easy  to  q>erate,  similar  to  anti-virus  programs,  and  can  provide 
the  overall  defense-in-depth  network  security  architecture  needed  to  safeguard  today’s 
systems. 

A  security  vulnerability  exists  that  affects  every  computer  system  in  the 
world  —  regardless  of  hardware  or  software.  This  vulnerability  extends 
worldwide;  it's  massive,  severe,  and  just  plain  scary.  Despite  years  of 
modifications  and  real-time  testing,  no  patch  is  currently  available.  First 
discovered  in  a  place  known  as  "The  Garden  of  Eden,"  a  serpent 
convinced  a  woman  called  Eve  that  eating  an  apple  would  provide  her 
knowledge  of  good  and  evil.  While  knowledge  of  good  and  evil  was 
indeed  imparted,  differentiating  between  the  two  was  apparently  not  part 
of  the  package.  [Ref  9] 


Vulnerabilities  may  always  exist,  but  they  can  be  made  difficult  to  find. 
Knowledge  of  an  impending  attack  gives  the  defender  the  advantage.  Host-based  ID 
systems  can  accomplish  both  tasks. 
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